Description
What steps did you take and what happened:
Follow this guide: https://projectcontour.io/docs/1.25/guides/external-authorization/
This was my globalExtAuth config:
contour.yaml: |
  disablePermitInsecure: false
  globalExtAuth:
    extensionService: service/my-ext-authz
    failOpen: true
    authPolicy:
      disabled: false
      context:
        "my-module-name": "envoy"
        "my-service-name": "contour"
        "test": "test"
    responseTimeout: 200ms
    withRequestBody:
      maxRequestBytes: 10240
      packAsBytes: true
      allowPartialMessage: true
However, when the ext_authz filter config is propagated to envoy, it doesn't include the context as metadata/headers:
From the envoy logs:
[2025-05-09 22:34:01.445][1][debug][config] [source/common/listener_manager/listener_manager_impl.cc:106] config:
...
{"name":"envoy.filters.http.ext_authz","typed_config":{"@type":"type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz","grpc_service":
{"envoy_grpc":{"cluster_name":"extension/service/my-ext-authz","authority":"extension.service.my-ext-authz"}},"failure_mode_allow":true,"with_request_body":
{"max_request_bytes":10240,"allow_partial_message":true,"pack_as_bytes":true},"clear_route_cache":true,"status_on_error":{"code":"Forbidden"},"include_peer_certificate":true,"transport_api_version":"V3"}},{"name":"router","typed_config":
{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"http_protocol_options":{"accept_http_10":true,"allow_chunked_length":true},"access_log":
[{"name":"envoy.access_loggers.file","typed_config":
{"@type":"type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog","path":"/dev/stdout"}}],"use_remote_address":true,"normalize_path":true,"preserve_external_request_id":true,"merge_slashes":true,"common_http_protocol_options":{"idle_timeout":"60s"}}
What did you expect to happen:
I expected the envoy ext_authz filter to include an initial_metadata field that contained the globalExtAuthz.authPolicy.context key/value pairs.
I thought based on the field description:
Context is a set of key/value pairs that are sent to the authentication server in the check request. If a context is provided at an enclosing scope, the entries are merged such that the inner scope overrides matching keys from the outer scope.
That maybe they wouldn't appear in the ext_auth config but somehow get sent another way, but on my ext_authz server those headers weren't present on the request.
Environment:
- Contour version: v1.30.3
- Kubernetes version: (use kubectl version): v1.30.5
- Kubernetes installer & version: Docker desktop for mac
- Cloud provider or hardware configuration:
- OS (e.g. from /etc/os-release):
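
An added example, not part of the original report or of Contour's code: a Python check that inspects an ext_authz filter object like the one in the Envoy log above for the expected context pairs, and reports the fail-open setting. It looks in `grpc_service.initial_metadata` (where the report expected them) and, as an assumption about where they could otherwise be emitted, in `check_settings.context_extensions` of an `ExtAuthzPerRoute` override. The function name and the trimmed sample are constructed.

```python
import json

# Constructed sample: the ext_authz filter object from the listener config in the
# report above, trimmed to the fields this check reads.
SAMPLE_FILTER = json.loads("""
{"name":"envoy.filters.http.ext_authz","typed_config":{
 "@type":"type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz",
 "grpc_service":{"envoy_grpc":{"cluster_name":"extension/service/my-ext-authz",
                               "authority":"extension.service.my-ext-authz"}},
 "failure_mode_allow":true,
 "with_request_body":{"max_request_bytes":10240,"allow_partial_message":true,
                      "pack_as_bytes":true},
 "status_on_error":{"code":"Forbidden"},"transport_api_version":"V3"}}
""")

# The authPolicy.context pairs from the reporter's globalExtAuth config.
EXPECTED_CONTEXT = {"my-module-name": "envoy", "my-service-name": "contour", "test": "test"}


def audit_ext_authz(http_filter, expected_context, per_route=None):
    """Report where (if anywhere) the expected context pairs appear, plus fail-open."""
    cfg = http_filter.get("typed_config", {})
    # Filter-level gRPC metadata: a list of {"key": ..., "value": ...} entries.
    meta = {h.get("key"): h.get("value")
            for h in cfg.get("grpc_service", {}).get("initial_metadata", [])}
    # Route- or vhost-level ExtAuthzPerRoute override, if the caller supplies one.
    ctx = (per_route or {}).get("check_settings", {}).get("context_extensions", {})
    seen = {**meta, **ctx}
    return {
        # True means requests are allowed through when the authz server is unreachable.
        "fail_open": bool(cfg.get("failure_mode_allow", False)),
        "in_initial_metadata": sorted(k for k in expected_context if k in meta),
        "in_context_extensions": sorted(k for k in expected_context if k in ctx),
        "missing": sorted(k for k, v in expected_context.items() if seen.get(k) != v),
    }


if __name__ == "__main__":
    print(json.dumps(audit_ext_authz(SAMPLE_FILTER, EXPECTED_CONTEXT), indent=2))
```

A non-empty `missing` list together with `fail_open: true` is the combination worth flagging, since an authorization server that relies on those context values to pick a policy never sees them.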